Tag Archive for Data

| November 25, 2014
Comments Off on Encryption on the Internet Primer

Encryption on the Internet Primer

Encryption on the Internet PrimerI spoke to several of my mother’s friends the other day. They were all worried about being on the web. Kudos to these ladies for being connected at all (they are in their 70’s and 80’s), They also get a gold star for being alert enough to recognize that something on the ol’ Intertubes has changed recently.

Data theftThey hear that their information is being stolen at the banks and stores they frequent. One neighbor lady even said she was worried but the government stealing her data. I explained to the group that I too am concerned about how it seems everyone on the web is under attack lately.

I gave them the usual pointers. Don’t trust anything on the web.  Have someone (not me!) help keep their anti-malware and systems up to date. And use encryption if possible.

Navajo Code Talkers

Of course, none of my mother’s neighbors had heard of encryption. I explained to the ladies that encryption means changing a message so that anybody who heard the message would not understand it unless they knew how the message was changed. I used the example of Ig-pay Atin-lay.

  • An-cay ou-yay eak-spay Ig-pay Atin-lay? = Can you speak Pig Latin?
  • I-way ave-hay a-way ecret-say = I have a secret.

 

Then of course I was outsmarted. One of the wNavajo Code Talkers during World War IIomen chimed out, Oh like the Navajo Code Talkers during World War II. (Next time I will start with the smart answer and then go to the Pig-Latin.)  These ladies lived through the shhesh,

So that got me thinking, what does the end-user really need to know about encryption? Sure there are PKI’s, Salted hashes, Block-ciphers, and …. none of which mean anything to the end-user.

What users need to know about encryption

Miguel Leiva-Gomez at MakeTechEasier.com recently explained what beginners need to know about encryption. He says that encryption is a practice in cryptography where a piece of data is obfuscated (manipulated) in a mathematically predictable way. The manipulation makes it very difficult to recover its contents. The author says it is like my pig-Latin example, but much more complex. The mathematical equations used to encrypt (and decrypt/decode) things are called cryptographic algorithms.

These cryptographic algorithms are needed because hackers are getting smarter and sneakier. They’re compromising databases left and right. To protect your data from attacks system owners should use these algorithms to mathematically jumble up all your personal data Jumbling the data (encrypting) making it difficult (if not completely impossible) for a hacker to steal your data from that database. Mr. Gomez claims that encryption basically protects you from intrusion. If a hacker manages to break into a database and take your passwords, it would be reading something like “EAFC49BF4B496090EA2B7CA51674589” instead of “Mary_$mith.”

The article calls the jumbled-up text like “EAFC49BF4B496090EA2B7CA51674589” at the end of every algorithm is called a ciphertext. The decrypted equivalent is known as plaintext. These are very important words to remember when discussing cryptography.

The author explains that there are two ways that the plaintext “Mary_$mith” gets turned into the ciphertext to “EAFC49BF4B496090EA2B7CA51674589” and then back to plaintext “Mary_$mith.” The first method is called a symmetric algorithm:

Symmetric algorithms use a key to Symmetric algorithm:encrypt and decrypt data. The key is basically the “x” that will solve for “y” in the mathematical algorithm. The length of the key and some other properties of the algorithm determine its “difficulty.” The more difficult an algorithm is, the more difficult it is to crack it. A difficult algorithm requires immense amounts of computing power to crack. The kind of horsepower that is usually out of reach from run-of-the-mill hackers. More sophisticated attacks might use computer clusters to decipher your data. Even then, some symmetric algorithms might thwart these attacks.

Asymmetric (public key) algorithms.The second-way plaintext gets turned into the ciphertext and then back to plaintext are called Asymmetric (public key) algorithms. Asymmetric algorithms split the key into two pieces. The first is a public one (usually stored in the server). The second piece is a private one (usually stored in your computer by software). Mr. Gomez writes that asymmetric algorithms get their strength from this particular technique since a hacker will not be able to read the contents of your data even if he gets his hands on the public key (it’s only half the key).

rb-

In the end, no algorithm is created equally. All of them have some flaw or another that will be discovered in the future, so it’s difficult to know what services you should rely on.

The best advice is still the oldest advice. Look for URLs that start with HTTPS and have a little green lock in the URL line. This means some part of the connection is encrypted with Secure Socket Layer (SSL) an Asymmetric (public key) algorithm. The Internet is on the verge of a move to a more secure Asymmetric algorithm called Transport Layer Security (TLS) 

That’s why the age-old advice to keep your PC up to date is critical for keeping your personal data safe.

Related articles
  • Navajo, Pawnee Code Talkers remembered on Veterans Day (KOB.com)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , ,
| November 6, 2014
Comments Off on Email Etiquette is Good For You

Email Etiquette is Good For You

Email Etiquette is Good For YouWho remembers when email was a new and exciting technology that the Intertubes brought us? Did AOL’s You’ve Got Mail! Make you giddy? They made a whole chick-flick about it starring Tom Hanks and Meg Ryan. I am pretty sure that thrill has worn off by now. According to marketing researchers, the Radicati Group predicts that by 2015 the average email user will send or receive 125 emails a day. Many of the emails are loaded with threats as I have pointed out here again and again. The ubiquity of email has caused some users to take email for granted and let their guard down.

2015 the average email user will send or receive 125 emails a dayRelaxed vigilance has led to some high-profile incidents where sensitive business information was exposed via email. Research indicates that at least 22% of companies have experienced an accidental or malicious leak of sensitive or confidential information by employees through email in the past 12 months. While it is may be bad for the firm, it could cost you your job. Here are some tips which will make your emails more effective and more secure:

Treat emails like business letters

It’s better to be more formal than too casual when you want to make a good impression. For example, use a person’s surname until they respond by signing their email with their first name. Never write anything in an email message that you wouldn’t want both your boss and your mom to read!

Company email is never private

If you want to Treat emails like business letterssend someone confidential or time-sensitive information, use the phone or meet in person. Emails can be duplicated, forwarded, and printed; anything unfortunate you write could come back to haunt you or your employer. Never use your employer’s email system to look for your new job. That move could cost your current job and the next one too.

Be cautious about the “reply all” feature

If you receive an email that was sent to a multitude of people, including yourself, reply only to those who need a response. Hit “reply all” only if it is crucial that every person on the distribution list see your response. In many cases, the sender is the only person who requires a response. Misuse of “reply all” is a key way in which sensitive business data slips outside the network.

Take care with email attachments

Never open attachments from unknown sourcesNever open attachments from unknown sources. And before sending attachments yourself, find out if the recipient wants them. Bogus attachments remain one of the most popular ways for cyber-attackers to gain a foothold in business networks, and it’s very easy for hackers to imitate legitimate email addresses.

This infographic includes some pretty amazing stats about email. Did you know?

  • The average user creates 5,000 email attachments every year?
  • There are 6 copies of each attachment made?
  • The government reads over 250 million emails annually?

That is why email etiquette is important.

Data Running Wild Infographic

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , ,
| June 24, 2014
Comments Off on Heartbleed Old News – Servers Still Vulnerable

Heartbleed Old News – Servers Still Vulnerable

Proof that data breaches like Code Spaces, P.F.Chang’s, Domino’s, Target, Neiman Marcus continue to be inevitable. The Verge is reporting that the Heartbleed Open SSL bug is still running rampant. Despite the initial panic several months ago when Neel Mehta of Google’s (GOOG) security team discovered the major bug which put over a million web servers at risk, the threat is old news.

600,000 still vulnerable to Heartbleed

Being old news does not mean the problem’s solved according to the article. They cite security researcher Robert David Graham who found that at least 309,197 servers out there on the interwebs are still vulnerable to the exploit.

Immediately after the announcement, Mr. Graham found some 600,000 servers were exposed by Heartbleed. One month after the bug was announced, that number dropped down to 318,239. In the past month, only 9,042 of those servers have been patched to block Heartbleed. The author says that’s cause for concern because it means that smaller sites aren’t making the effort to implement a fix.

Affects the OpenSSL protocol

The Verge concludes that it’s likely that the lightly trod corners of the internet will remain vulnerable for many years to come, as sites with sub-par security standards continue to leave themselves and their users exposed. The danger is particularly real now since the exploit has been widely publicized. The bug, which affects the OpenSSL protocol used widely online, can cause some serious damage — it can be exploited to give hackers encryption keys, passwords, and other sensitive information.

rb-

I mean who do all these people think they are the NSA?

CNET has kept a running list of where you should change your password due to Heartbleed.

  1. Google (GOOG)
  2. Facebook (FB)
  3. YouTube
  4. Yahoo (YHOO)
  5. Wikipedia
  6. Bing
  7. Pinterest
  8. Instagram
  9. Tumblr
  10. ESPN
  11. NetFlix
  12. Weather.com
  13. Dropbox
  14. AT&T (T)
  15. OKCupid
Related articles

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , ,
| October 15, 2013
Comments Off on Need Cyber Insurance?

Need Cyber Insurance?

Need Cyber Insurance?Standard business insurance does not cover data breaches or almost any other loss involving data. Standard insurance covers tangible losses and damage. Data isn’t tangible says Network World. The ruling that data is not tangible goes back to a 2000 ruling by a U.S. District Court. The article explains the ruling arose from an Arizona case, American Guarantee & Liability Insurance Co. vs. Ingram Micro Inc.. In that case, the court said that a computer outage caused by a power problem constituted physical damage within the meaning of the policy Ingram Micro had purchased from American Guarantee.

Courts ruled data is tangible propertyAfter that, the insurance firms changed their policies to state that data is not considered tangible property,Kevin Kalinich, national managing director for network risk at Aon Risk Solutions told Network World. The upshot is that an enterprise needs special cyber insurance to cover data-related issues. The problem is that the field is new and there is no such thing as standard coverage with a standard price.

Larry Ponemon, chairman of the Ponemon Institute, told Network World that the resulting complexity is a major source of push-back by potential buyers. “The policies have limitations and constraints similar to home policies with act-of-God provisions, and that has created a lot of uncertainty about what is covered, and what the risks are.” Mr. Ponemon told the author, “Those who are nevertheless purchasing cyber insurance are typically very selective about what coverage they want.”

Network World describes the types of cyber coverage available.

cyber coverages availableData breach coverage: This pays for expenses that result from a data breach. Covered expenses typically include notification of the victims, setting up a call center, credit monitoring, and credit restoration services for the victims, and other crisis management services, Ken Goldstein, vice president at the Chubb Group, told Network World. “You might want to hire forensic experts, independent attorneys for guidance concerning the multiple state (data breach notification) laws, and public relations experts.”

Regulatory civil action coverage: Pays in cases where the insured is facing fines from a state attorney general after a data breach, or from the federal government after a violation of the Health Insurance Portability and Accountability Act (HIPAA) or similar regulations. Some policies only cover the cost of defending against the action, while others may pay the fine as well, says Steven Haase, head of INSUREtrust, an Atlanta-based specialty insurance provider.

Cyber extortion coverageCyber extortion coverage: For cases where a hacker steals data from the policyholder and then tries to sell it back, or someone plants a logic bomb in the policy holder’s system and demands payment to disable it. Among other things, the policy should cover the cost of a negotiator, and the cost of offering a reward leading to the arrest of the perpetrator, Chubb’s Goldstein says.

Virus liability: Pays in cases where the policyholder is sued by someone who claims to have gotten a virus from the policy holder’s system.

Chubb logoContent liability: Covers lawsuits filed by people angered over something posted on the Web site of the policyholder. Such coverage should also cover copyright claims and domain name disputes, INSUREtrust’s Haase told Network World.

Lost income coverage: Replaces revenue lost while the policy holder’s computer system or Web site is down. But Aon’s Kalinich notes that insurers often apply minimum downtimes of 12 or 24 hours, or require proof of actual losses, “They’ll say that, after all, the customers who did not get through (during the outage) could have come back later.”

AON logoLoss of data coverage: Pays for the cost of replacing the policy holder’s data in case of loss, “Backup policies are not always effective, and accidents and sabotage happen,” Mr. Haase says.

Errors and omissions coverage: Otherwise known as O&M policies, this type of coverage predates cyber insurance, but is increasingly added to cyber policies to cover alleged failures by the policy holder’s software, Haase says.

Errors and omissions coverageAs for what coverage costs, Aon’s Kalinich told Network World that firms smaller than $100 million in annual revenue can expect to pay $5,000 to $15,000 per million of coverage, while larger firms would pay $10,000 to $25,000. For those over a billion, the price can be in the $20,000 to $50,000 range. Robert Parisi, senior vice president with Marsh, an insurance broker, and risk advisory firm put it simpler, saying the cost is between $7,000 and $35,000 per million. Of course, the lower ranges are for buyers who look like better risks — and deciding who is a better risk is another factor that makes cyber insurance a complex topic.

You cannot get good insurance unless you have good security practices,” VP Kalinich says. “Due diligence underwriting has become more streamlined as the insurers have learned what to look for. They will typically benchmark you against other members of your industry.

15% of the premium goes to commissionsINSUREtrust’s Haase explained the cyber insurance purchase process to the author, “This is a complex purchase and you need a professional helping you. Most policies are highly customizable, and there are a lot of endorsements.” Typically the buyer goes to their local agent, and the local agent uses a specialist, Haase says. Both the local agent and the specialist get commissions ranging from 7.5% to 10% so that 15% to 10% of the premium goes to commissions.

Finally, Toby Merrill, vice president of insurer Ace Professional Risk cautions that cyber insurance buyers must understand that if they are outsourcing their data handling, they are not at the same time outsourcing their liability if there is a data breach. The onus of the various breach notification laws is on the organization that gathered the data, not on the organization that was storing it when it was exposed, he notes.

Cyber insurance is not there to replace sound risk management,” VP Merrill told Network World, “It is there to supplement it.

Related articles

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Data protection | Tags: , , , , , , ,
| May 14, 2013
Comments Off on Did You Wipe Your Tablet?

Did You Wipe Your Tablet?

Did You Wipe Your Tablet?Techno prognostication firm IDC says (I think they are right on this one) that worldwide sales of tablets will surpass desktop PCs and laptops by the end of 2014. This will result in a boomlet in the second-hand tablet market and a recent article on Infosecurity says that in response, firms will need to start data wipe their old tablets just as thoroughly as old hard disks to protect their data.

take responsibility for removing dataThe company is responsible for any company data held on the mobile device; no matter the flavor of BYOD practiced so it is the company that must take responsibility for removing data from the device before disposal. The Infosecurity article says that ensuring that mobile device solid-state memory is completely clean is technically difficult.

Solid-state memory

The article highlights BlackBelt, which has just enhanced its data wiping product to include Apple (AAPL) and Google (GOOG) Android tablets explained the difficulty to the author. “Solid-state memory uses a technique called wear leveling to maximize the life expectancy of the memory chips.” BlackBelt’s business development manager Ken Garner told Infosecurity,It works by spreading the binary information (0s and 1s) randomly across all the memory cells in the chip. This means that unlike on spinning disk memory, the location of the data on the user interface bears no relation to where it is stored on the drive, making traditional forms of deletion ineffective.

end users can't data wipe their mobile devicesBlackBelt says end-users can’t data wipe their phones, “it isn’t possible for an individual to perform a full removal of personal data from any smartphone or tablet using a device’s in-built factory reset or by re-flashing the operating system.” the vendor explains to Help Desk Security that wear leveling will, “over-rule instructions to permanently overwrite old data.

Solid-state memory wear leveling

Because of ‘wear leveling, neither remote wipes nor factory resets are guaranteed to remove all the data from solid-state memory. The blog points out that a low-cost product called Wondershare, can recover data from solid-state memory. Mr. Garner claims the software, “recovers just about everything after either a factory reset or a local (phone operating system) delete.

Many data wiping solutions don’t work on solid state memoryWhen a tablet is retired it is incumbent on the company to make sure that all data held on the device is adequately deleted. One problem, says Garner, is that “Many data wiping solutions, more often than not, have been “…re-purposed from data wiping solutions for traditional hard disk drives,” and that simply doesn’t work on solid-state memory.

Three-stage process to wipe SSM

DataWipe, uses a three-stage process: first writing 0s in every memory cell, secondly writing 1s in every cell, and thirdly writing random 0s and 1s across every memory cell. The result, he claims, is guaranteed data erasure that can also provide audit, compliance, and reporting data in an industry-standard XML format that is easily exchanged with all the major DLP, SIEM, policy management, and mobile device management solutions solving both the technical difficulties around tablet recycling.

difficulties around tablet recyclingWiping data from a PC or a first-generation Apple iPad that is being retired is important because of the enormous amount of data they can store. This makes the proper destruction of that data on the device essential before it leaves the organization. Unfortunately, IT asset disposition firm Retire-IT sees that many firms simply swap the devices with new ones or merely format the drives without securely wiping the data. The Columbus, OH-based firm says this leaves organizations vulnerable.  Kyle Marks, CEO of Retire-IT told Help Net Security that:

99% of problems happen before a disposal vendor touches equipment. No vendor can destroy data if they don’t receive an asset, which is why we strongly encourage clients to destroy data before any move. Better safe than sorry. Of course, disposal vendors should destroy data (again) regardless

Retire-IT looked at tracking data from 1,072 corporate disposal projects encompassing 233 different companies and reported some shocking figures:

  • 4 out of 5 projects (81.5%) had at least one missing asset.
  • 1 out of 8 (11.6%) had a negative variance. The devil is in the details, but nobody looks very closely.
  • Only 79% of the serial numbers were matched with subjective matching.
  • Without subjective matching, only 58% of serial numbers were matched.

Sanitize IT equipment

Help Net Security offers some suggestions to help sanitize IT equipment:

Computers – Derik Boot and Nuke Linux Live CD for full disk wiping. It supports many types of wiping, including the DoD 5220.22-M method with 3 passes.

sanitize IT equipmentStarting with Windows Vista (and Windows 2008 Server), the Microsoft OS overwrites the contents of each sector when you do a Slow Format on your media. They recommend Microsoft’s SDelete for wiping files on Windows.

For Apple OS X there’s the Disk Utility.

On Linux use the “wipe”, “srm” or “shred” commands to securely sanitize files on most distributions.

Printers and copiers – Consult the manual to find out how to clear the memory or use third-party software to wipe the hard drive. Which I covered here

Mobile devices – Wired recommends a hammer and don’t forget to remove the SIM card.

Related articles
  • BYOD: Preventing Breaches Can Be A Challenge (healthsecuritysolutions.com)

 

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedInFacebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: , , , , , , , , , , , , ,
« Older Entries   Recent Entries »